Hi all,
I am trying to use the recent module to stop the slate of attacks I get
every day, but I am not sure my understanding of its logic is correct.
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 1800 --hitcount 5 --name ssh-defensive --rsource -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name ssh-defensive --rsource
I am testing this solution - which works as intended - but the packet
counters do not make sense to me. During my test I start the ssh client,
get the prompt asking for the password, and immediately check the
iptables counters:
Chain INPUT (policy ACCEPT 81 packets, 8996 bytes)
 pkts bytes target  prot opt in    out  source      destination
    1    52 LOG     tcp  --  *     *    0.0.0.0/0   0.0.0.0/0    state NEW tcp dpt:22 LOG flags 0 level 4
    0     0 DROP    tcp  --  eth0  *    0.0.0.0/0   0.0.0.0/0    tcp dpt:22 state NEW recent: UPDATE seconds: 1800 hit_count: 5 name: ssh-defensive side: source
    1    52         tcp  --  eth0  *    0.0.0.0/0   0.0.0.0/0    tcp dpt:22 state NEW recent: SET name: ssh-defensive side: source
I expected to see more packets; what about the TCP handshake?
Thanks in advance,
Pietro
"And therefore never send to know for whom the bell tolls"
pulsarpietro@xxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
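As an added example (not part of the post above), here is a Python simulation of how the two rules in the message behave against a constructed series of NEW connection attempts; it assumes the xt_recent semantics that --update refreshes the timestamp only when it matches, a default list length of 20 stamps, and that each connection attempt produces exactly one packet in state NEW (the initial SYN), which is why the counters advance by one per attempt rather than per handshake packet.

```python
"""Simulate the recent-module pair from the post: a per-source sliding window
(--seconds 1800 --hitcount 5) checked by --update and fed by --set."""
from collections import defaultdict

WINDOW = 1800       # --seconds 1800
HITCOUNT = 5        # --hitcount 5
MAX_STAMPS = 20     # assumed xt_recent default (ip_pkt_list_tot)


class RecentTable:
    """One named list (--name ssh-defensive), keyed by source (--rsource)."""

    def __init__(self):
        self.stamps = defaultdict(list)  # src -> hit timestamps, oldest first

    def _record(self, src, now):
        # Keep at most MAX_STAMPS per source, discarding the oldest.
        lst = self.stamps[src]
        lst.append(now)
        if len(lst) > MAX_STAMPS:
            del lst[0]

    def update_matches(self, src, now):
        """--update: match iff src already has >= HITCOUNT stamps inside the
        last WINDOW seconds; a match also refreshes the entry, so a source
        that keeps trying stays blocked for as long as it keeps trying."""
        hits = sum(1 for t in self.stamps.get(src, []) if now - t <= WINDOW)
        if hits >= HITCOUNT:
            self._record(src, now)
            return True
        return False

    def set_(self, src, now):
        """--set: unconditionally record a hit for src."""
        self._record(src, now)


def filter_new_syn(table, src, now):
    """Apply the two INPUT rules to one NEW packet; return the verdict."""
    if table.update_matches(src, now):
        return "DROP"
    table.set_(src, now)
    return "ACCEPT"          # falls through to the chain policy


def run(events):
    """events: constructed (time_s, src) pairs, one per NEW connection attempt."""
    table = RecentTable()
    return [filter_new_syn(table, src, t) for t, src in events]


# Constructed sample: six attempts from one host 10 s apart, an unrelated
# host, then the first host again after the 1800 s window has expired.
SAMPLE = [(0, "198.51.100.7"), (10, "198.51.100.7"), (20, "198.51.100.7"),
          (30, "198.51.100.7"), (40, "198.51.100.7"), (50, "198.51.100.7"),
          (60, "203.0.113.9"), (2000, "198.51.100.7")]
```

Running `run(SAMPLE)` shows the first five attempts accepted, the sixth dropped, the other host unaffected, and the same host accepted again once its stamps have aged out of the window.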